London Drugs ransom demand vanishes hours before looming deadline
Posted May 22, 2024 3:29 pm.
Last Updated May 23, 2024 7:01 am.
The ransomware group targeting London Drugs has removed its ransom demand from the internet, hours before the time the retailer was ordered to pay millions of dollars, according to a threat analyst.
LockBit, the perpetrators claiming to be behind the ransom, were demanding that London Drugs pay $25 million in exchange for data stolen during the April cyberattack.
The ransomware group was threatening to leak employee information on the dark web if those demands were not met.
The initial post, which was discovered on Tuesday afternoon, included a 48-hour compliance window. However, as of late Wednesday morning, the demand has mysteriously vanished.
Emsisoft threat analyst Brett Callow believes there are a few things that might have happened.
“Possible explanations would be that London Drugs paid, or that they agreed to go back to the negotiating table. But, there are other possibilities too,” Callow told CityNews.
Callow says that it’s also not uncommon for ransomware groups to retract their demands from online listings before the deadline expires.
“That’s because it’s not uncommon for an organization to succumb to the pressure and pay.”
LockBit alleges that London Drugs had initially offered $8 million for the data, but this remains unconfirmed by the retailer.
CityNews contacted London Drugs regarding the removal of the listing. In response, the company says, “there is no update to share.”
Threat analyst believes companies should always resist ransomware demands
While it remains unclear whether London Drugs has already paid LockBit, or is currently negotiating a revised amount, Callow believes companies should always resist yielding to the demands of ransomware groups.
“The best practice is to not pay, unless it’s absolutely unavoidable,” Callow said.
He added that companies who do pay ransomware groups end up contributing to the growing problem.
“If no companies paid, there would be no more ransomware, it’s really that simple.”
“There are thousands of organizations affected each year, some pay, some don’t,” said Callow. “[Ransomware is] a very a big business.”
Callow says that ransomware groups around the world received more than $1 billion in ransoms last year.
“And, that’s only the amount that’s known, so the actual figure would have actually probably been a lot higher.”
Callow says he thinks most incidents go unreported.
“It is only the disruptive attacks on large household names [and] organizations that tend to make news. The majority of victims are actually smaller businesses.”
What do we know about LockBit?
According to Callow, LockBit is one of the most prolific ransomware operations in the world. He says the group was first active in 2019, and since then has received more than $100 million in ransom demands.
“They have successfully attacked thousands of companies,” Callow said.
“We also know their leader is based in Russia,” he added.
Earlier this month, the U.S. Department of Justice (DOJ) indicted 31-year-old Russian national Dimitry Yuryevich Khoroshev, who is believed to be LockBit’s creator, developer, and administrator.
Khoroshev was charged with 26 counts related to fraud, extortion, and damage to protected computers.
“The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States. LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” a statement from the DOJ read.
The DOJ is offering a $10 million reward for information leading to Khoroshev’s arrest.
